Infosecurity professionals working in businesses that handle payment card data can add another item to their ‘to do’ lists.
October 2010 saw the PCI Security Standards Council release the latest version of its standards covering both payment card and payment applications.
The changes – which come into effect in January – aim to provide “greater clarity and flexibility [and] to facilitate improved understanding of the requirements and eased implementation for merchants”, according to the Council.
Rather than bring in significant new rules and regulations, the new standard – Version 2.0 – will remove some of the ambiguities in earlier iterations, as well as making it easier for businesses, especially smaller retailers, to bring their operations in line with the requirements.
In addition, Version 2.0 adds additional guidance in two areas: virtualised IT environments, and for the Payment Application Data Security Standard (PA-DSS) – payment applications running on hardware terminals. A further change allows organisations to rank vulnerabilities according to risk, as part of a wider move towards a risk-based approach to the PCI Data Security Standard (PCI-DSS).
Businesses that have been struggling to implement the standard – and there is evidence to suggest that some businesses, especially smaller retailers or merchants, have found compliance with the standard a burden – will be relieved to discover that there are no significant new requirements imposed by Version 2.0.
The PCI Security Standards Council has however pointed out that, with the release of Version 2.0, work begins on Version 3, with the organisation now following a three-year lifecycle for all its standards developments.
With little evidence that the security threat posed to online payment card data will diminish over the coming years, organisations that need to comply with PCI-DSS will want to keep a close watch on the council’s work, so they are prepared for any further changes.
In addition, the council can issue updates with “minor revisions” throughout the lifecycle of PCI-DSS 2.0, as it has done with the previous version.
Evolution, not revolution
“Version 2.0 is not in addition to, but a clarification of the standard. The aim is to have more black-and-white than grey areas. I’ve been in meetings with three or four other people where everyone disagrees [on meaning]”, says Manish Chawda, who runs the UK Centre of Excellence PCI Hub for PwC, the consulting firm. “The standard is open to interpretation. At the end of day, we are trying to protect cardholder data and there must be a clear indication of how to do that.”
Clarifications to language and wording should not place an undue burden on businesses that have already achieved compliance with the current version, 1.2.1.
"Companies handling payment card information need to know where fraud occurs, and how to mitigate their risks" |
Neira Jones, Barclaycard |
Companies that have started to move towards PCI compliance, but have not yet achieved it, also have the option of continuing to work towards compliance with 1.2.1, as businesses are allowed to achieve validation against that standard until December 2011. For businesses that have yet to start out with PCI, however, or that have not made significant progress, the newer version may well be an easier option, not least because of Version 2.0’s clearer language.
“Organisations should prepare now for Version 2.0’s approach”, advises Christos Dimitriadis, chairman of the external relations committee at ISACA. “Some requirements have changed because some identified threats and risks have changed. You should identify which parts you comply with and which parts are applicable for your organisation.”
According to Dimitriadis, awareness of PCI-DSS and compliance is improving steadily across European organisations. But there is still work to be done, both among merchants and also organisations that supply them with services that fall under the remit of the standard.
These include a number of IT services, including data networking and storage and archiving services, as well as those that relate specifically to payment card data. And smaller businesses – which, in turn, may be more likely to use external services – need to review their work on PCI-DSS to make sure not just that the rules are understood, but that the necessary work is being carried out.
“The standard is at a very good level, but it needs to be translated effectively by those [who] implement it”, cautions Dimitriadis. “The most important improvements will be in human factors and procedures.” The technical elements of the standard are, he suggests, reasonably well understood, at least by larger firms.
The wider issue of compliance by smaller businesses remains an issue for both the payment card industry and information security professionals. The PCI Security Standards Council has created a dedicated website aimed at this target group, and the payment card networks, banks and card issuers have their own projects to educate smaller businesses on card payment security.
The banks and card issuers are also well positioned to monitor emerging threats to payment card and other sensitive financial data, not least because of their large networks and close relationships with other parts of the security industry.
Often, smaller firms use the self-certification compliance mechanisms for PCI-DSS, and may not have a security professional on hand to help with the process. Alternatively, they might rely on their existing IT supplier or integrator to manage any changes, so the initiatives from within the payment industry provide a useful, and free, additional source of know-how and assurance.
"If you are good in information security, you are good in PCI" |
Manish Chawda, PwC |
“At Visa Europe we recently launched an awareness campaign around common threats to the payment system that are frequently exploited to gain unauthorised access to payment card data”, says Shane Balfe, technical manager at the payment network.
“The two largest root causes of data breaches tend to be as a consequence of either an organisation using default passwords on systems or not properly checking inputs prior to execution, allowing hackers to easily carry out so-called SQL injection attacks. So we have recently provided specific guidance on that.”
Changing threats, changing responses
Although some security measures – such as not using default passwords – are obvious, others such as the need to lock out SQL injection attacks are less so, especially outside information security circles. One of the challenges facing all businesses is the need to keep up with the changing nature of online crime, as well as changes to IT architecture that can create new vulnerabilities.
Security measures carried out in the real world, especially Chip and Pin, have changed the nature of payment card fraud, points out Neira Jones, head of payment security at Barclaycard. The difficulty of ‘skimming’ a Chip and Pin card has forced fraudsters to move their attention to ‘cardholder not present’ fraud via mail order and, especially, the web.
This, in turn, has led fraudsters to search out new technical vulnerabilities and made the protection of card data all the more pertinent. “Companies handling payment card information need to know where fraud occurs, and how to mitigate their risks”, says Jones. “The risk is throughout the card payment value chain, so we provide advice on where to concentrate your efforts.”
"There will always be changes to the standards as new technologies come out" |
Paul Hanley, KPMG |
Fraudsters, Jones adds, will always look for the “path of least resistance”, whether that is looking for website vulnerabilities, merchants that store card data when they should not, or even call centre staff who have access to card information.
Businesses should not, of course, be storing sensitive card information (known as sensitive authentication data, or SAD) for longer than is necessary to carry out a transaction. PCI-DSS prohibits storing such information, even if it is encrypted.
However, information security experts concede that the practice remains relatively widespread, and not only among smaller businesses.
Practices, such as using a credit card number to identify a customer, should have been phased out. At the same time, the payment card industry is looking at tokenisation, where sensitive data can be replaced by a token that allows the transaction to be tracked, but which is of no value to a cybercriminal.
As yet, there is no single standard for tokenisation, and the PCI Security Standards Council has yet to issue specific guidance on the issue, although some of its members, including Visa, have.
“PCI is endorsing some tokenisation and has a working committee to establish what they can and can’t accept”, says Jonathan Lampe, vice president for product management at Ipswitch, a security vendor. “But if you replace credit card data with hashes, how unique and crypto-safe do [the tokens] have to be? Do they have to be irreversible? There are a number of theoretical issues.”
Virtual changes
Similar concerns apply to virtualisation, including how safe it is to mix virtual machines handling PCI-DSS compliant data and unsecured data in a single environment. Although Version 2.0 of the standard includes more specific guidance on virtualisation than previous versions of PCI-DSS, security experts predict there will be further work in this area as virtualisation is used more widely by IT departments.
“There will always be changes to the standards as new technologies come out”, says Paul Hanley, a director in KPMG’s performance and technology practice.
“Virtualisation is a new area that wasn’t as prolific in the time the first standard was drafted.” Potentially, changes to a virtualised environment could mean changes to PCI-DSS compliance, so IT operations and security will need to stay in step, wherever customers’ card data is being handled.
This illustrates another area where payment security specialists expect to see further guidance, either from the PCI Security Standards Council or its member organisations: reducing the scope of PCI-DSS compliance.
Meeting all the requirements of PCI-DSS can be expensive, so organisations will increasingly seek to reduce the number of times sensitive authentication data is handled, reduce its passage through non-essential communications systems, and eliminate its storage.
This will allow businesses to operate fewer systems under PCI-DSS rules, and concentrate their efforts on ensuring that those that need to comply are properly protected.
Businesses should also act now to ensure that their PCI-DSS work fits in with their overall information security regime. If you are good in information security, you are good in PCI,” says PwC’s Manish Chawda. “If an organisation has adopted [security] best practice they’ve already gone beyond the PCI mandates.”
At Visa Europe, Shane Balfe agrees. “Good security requires constant vigilance and it is important that PCI-DSS is embedded in a solid governance structure”, he says. “All employees [must] understand the value of such data, not just for the business itself, but also on a personal level. The loss of this data can affect their customers.”